Out-Law / Your Daily Need-To-Know

Data breaches reported to ICO almost double in half a year

The number of personal data breaches in the health sector that were reported to the Information Commissioner's Office (ICO) in the third quarter of 2013 was almost double the number reported in the first three months of last year.

The UK's data protection watchdog published new figures that show a general 25% increase in the number of cross-industry data breaches reported to it in Q3 of 2013 relative to Q1. However, the figures showed an even greater rise in the breaches reported by health sector bodies over the period.

Between January and the end of March 2013, health bodies reported 91 data breach incidents to the ICO. In the second quarter of the year 137 breaches were reported by organisations in the sector and a further 160 breaches were reported to the ICO in the period covering the beginning of July to the end of September.

The figures, newly published by the ICO, reveal that a total of 420 data breaches across all sectors were reported to the watchdog in Q3 last year compared with 335 during the first three months of 2013.

After health sector bodies, local government organisations reported the most breaches over the nine months, with 57, 68 and 55 breaches reported to the ICO in Q1, Q2 and Q3 respectively. Central government departments reported 13 breaches in Q3 of 2013, up from eight in Q1.

The Data Protection Act does not compel organisations to report personal data breaches to the ICO. However, some organisations, including those operating in the health and telecommunications sectors, are required to notify the ICO when they experience such an incident. In addition, the ICO recommends self-reporting of breaches as good practice and has confirmed that organisations which own up to an incident stand to be treated more leniently in any resulting enforcement action.

A data breach notification regime for all organisations is envisaged under proposed reforms to the EU data protection framework.

New rules that took effect last August (Commission Regulation (EU) No 611/2013) set out when telecoms companies, or more precisely providers of publicly available electronic communications services, are required to notify regulators, and affected individuals, of personal data breaches. In the UK, those providers must generally inform the ICO within 24 hours of detecting that they have experienced a personal data breach.

Those companies have to supply the ICO with a range of information about the breach, including the estimated date and time of the incident, the nature and content of the personal data concerned and how many individuals are affected.

Four data breaches were reported to the ICO by telecoms companies in the third quarter of 2013, compared with two during Q1 and one during Q2.

The most common type of breach in Q3 of 2013 was personal data disclosed in error, which accounted for 196 of the reported incidents, according to the ICO's figures. Paperwork was lost or stolen in 62 cases and hardware was lost or stolen in 32.